Investigations by forensic experts reveal that a considerable amount of protected health information may have been compromised.

Alive Hospice, with three campuses in Tennessee, has notified an undisclosed number of affected individuals after it suffered three email phishing attacks between December 2017 and May 2018.

In December an employee’s email account was accessed in December, but preliminary investigations found no unauthorized access to personal information. The employee’s email password was changed, but in April, the same employee’s email account information was accessed through a phishing attack. The organization said it then changed that employee’s access to the system.

The health system conducted a review in the middle of May and discovered ongoing unauthorized activity in the employee’s email account that may have compromised patients’ personal information.

After another investigation was conducted which was assisted by forensic specialists, it was discovered that two Alive Hospice employee email accounts had been accessed without authorization. Officials of the health system in a statement said that a considerable amount of protected health information may have been compromised.

In a notice on the incident, Alive Hospice executives said there is no evidence any information has been subject to actual or attempted misuse. “While Alive Hospice already has stringent security measures in place to protect information in its systems, Alive Hospice also is implementing additional safeguards to protect the security of information,” the notice indicated. The hospice is offering affected individuals one year of identity protection services from ID Experts.